mauirixxx
/
gwst
1
0
Forka 0
Codice Problemi 5 Pull Requests 0 Rilasci 0 Wiki Attività
Guild Wars stat tracking The idea behind this is to track multiple characters individual stats as well as account stats.
Non puoi selezionare più di 25 argomenti Gli argomenti devono iniziare con una lettera o un numero, possono includere trattini ('-') e possono essere lunghi fino a 35 caratteri.
16 Commit
2 Rami (Branch)
122 KiB
 
 
 
 
 
Albero (Tree): 12d929623c
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da '12d929623c'
${ noResults }
gwst/lib/password.php

317 righe
12 KiB
Originale Blame Cronologia 

  1. <?php

  2. /**

  3.  * A Compatibility library with PHP 5.5's simplified password hashing API.

  4.  *

  5.  * @author Anthony Ferrara <[email protected]>

  6.  * @license http://www.opensource.org/licenses/mit-license.html MIT License

  7.  * @copyright 2012 The Authors

  8.  */

  9. 

  10. namespace {

  11. 

  12.     if (!defined('PASSWORD_BCRYPT')) {

  13.         /**

  14.          * PHPUnit Process isolation caches constants, but not function declarations.

  15.          * So we need to check if the constants are defined separately from 

  16.          * the functions to enable supporting process isolation in userland

  17.          * code.

  18.          */

  19.         define('PASSWORD_BCRYPT', 1);

  20.         define('PASSWORD_DEFAULT', PASSWORD_BCRYPT);

  21.         define('PASSWORD_BCRYPT_DEFAULT_COST', 10);

  22.     }

  23. 

  24.     if (!function_exists('password_hash')) {

  25. 

  26.         /**

  27.          * Hash the password using the specified algorithm

  28.          *

  29.          * @param string $password The password to hash

  30.          * @param int    $algo     The algorithm to use (Defined by PASSWORD_* constants)

  31.          * @param array  $options  The options for the algorithm to use

  32.          *

  33.          * @return string|false The hashed password, or false on error.

  34.          */

  35.         function password_hash($password, $algo, array $options = array()) {

  36.             if (!function_exists('crypt')) {

  37.                 trigger_error("Crypt must be loaded for password_hash to function", E_USER_WARNING);

  38.                 return null;

  39.             }

  40.             if (is_null($password) || is_int($password)) {

  41.                 $password = (string) $password;

  42.             }

  43.             if (!is_string($password)) {

  44.                 trigger_error("password_hash(): Password must be a string", E_USER_WARNING);

  45.                 return null;

  46.             }

  47.             if (!is_int($algo)) {

  48.                 trigger_error("password_hash() expects parameter 2 to be long, " . gettype($algo) . " given", E_USER_WARNING);

  49.                 return null;

  50.             }

  51.             $resultLength = 0;

  52.             switch ($algo) {

  53.                 case PASSWORD_BCRYPT:

  54.                     $cost = PASSWORD_BCRYPT_DEFAULT_COST;

  55.                     if (isset($options['cost'])) {

  56.                         $cost = (int) $options['cost'];

  57.                         if ($cost < 4 || $cost > 31) {

  58.                             trigger_error(sprintf("password_hash(): Invalid bcrypt cost parameter specified: %d", $cost), E_USER_WARNING);

  59.                             return null;

  60.                         }

  61.                     }

  62.                     // The length of salt to generate

  63.                     $raw_salt_len = 16;

  64.                     // The length required in the final serialization

  65.                     $required_salt_len = 22;

  66.                     $hash_format = sprintf("$2y$%02d$", $cost);

  67.                     // The expected length of the final crypt() output

  68.                     $resultLength = 60;

  69.                     break;

  70.                 default:

  71.                     trigger_error(sprintf("password_hash(): Unknown password hashing algorithm: %s", $algo), E_USER_WARNING);

  72.                     return null;

  73.             }

  74.             $salt_req_encoding = false;

  75.             if (isset($options['salt'])) {

  76.                 switch (gettype($options['salt'])) {

  77.                     case 'NULL':

  78.                     case 'boolean':

  79.                     case 'integer':

  80.                     case 'double':

  81.                     case 'string':

  82.                         $salt = (string) $options['salt'];

  83.                         break;

  84.                     case 'object':

  85.                         if (method_exists($options['salt'], '__tostring')) {

  86.                             $salt = (string) $options['salt'];

  87.                             break;

  88.                         }

  89.                     case 'array':

  90.                     case 'resource':

  91.                     default:

  92.                         trigger_error('password_hash(): Non-string salt parameter supplied', E_USER_WARNING);

  93.                         return null;

  94.                 }

  95.                 if (PasswordCompat\binary\_strlen($salt) < $required_salt_len) {

  96.                     trigger_error(sprintf("password_hash(): Provided salt is too short: %d expecting %d", PasswordCompat\binary\_strlen($salt), $required_salt_len), E_USER_WARNING);

  97.                     return null;

  98.                 } elseif (0 == preg_match('#^[a-zA-Z0-9./]+$#D', $salt)) {

  99.                     $salt_req_encoding = true;

  100.                 }

  101.             } else {

  102.                 $buffer = '';

  103.                 $buffer_valid = false;

  104.                 if (function_exists('mcrypt_create_iv') && !defined('PHALANGER')) {

  105.                     $buffer = mcrypt_create_iv($raw_salt_len, MCRYPT_DEV_URANDOM);

  106.                     if ($buffer) {

  107.                         $buffer_valid = true;

  108.                     }

  109.                 }

  110.                 if (!$buffer_valid && function_exists('openssl_random_pseudo_bytes')) {

  111.                     $strong = false;

  112.                     $buffer = openssl_random_pseudo_bytes($raw_salt_len, $strong);

  113.                     if ($buffer && $strong) {

  114.                         $buffer_valid = true;

  115.                     }

  116.                 }

  117.                 if (!$buffer_valid && @is_readable('/dev/urandom')) {

  118.                     $file = fopen('/dev/urandom', 'r');

  119.                     $read = 0;

  120.                     $local_buffer = '';

  121.                     while ($read < $raw_salt_len) {

  122.                         $local_buffer .= fread($file, $raw_salt_len - $read);

  123.                         $read = PasswordCompat\binary\_strlen($local_buffer);

  124.                     }

  125.                     fclose($file);

  126.                     if ($read >= $raw_salt_len) {

  127.                         $buffer_valid = true;

  128.                     }

  129.                     $buffer = str_pad($buffer, $raw_salt_len, "\0") ^ str_pad($local_buffer, $raw_salt_len, "\0");

  130.                 }

  131.                 if (!$buffer_valid || PasswordCompat\binary\_strlen($buffer) < $raw_salt_len) {

  132.                     $buffer_length = PasswordCompat\binary\_strlen($buffer);

  133.                     for ($i = 0; $i < $raw_salt_len; $i++) {

  134.                         if ($i < $buffer_length) {

  135.                             $buffer[$i] = $buffer[$i] ^ chr(mt_rand(0, 255));

  136.                         } else {

  137.                             $buffer .= chr(mt_rand(0, 255));

  138.                         }

  139.                     }

  140.                 }

  141.                 $salt = $buffer;

  142.                 $salt_req_encoding = true;

  143.             }

  144.             if ($salt_req_encoding) {

  145.                 // encode string with the Base64 variant used by crypt

  146.                 $base64_digits =

  147.                     'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

  148.                 $bcrypt64_digits =

  149.                     './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

  150. 

  151.                 $base64_string = base64_encode($salt);

  152.                 $salt = strtr(rtrim($base64_string, '='), $base64_digits, $bcrypt64_digits);

  153.             }

  154.             $salt = PasswordCompat\binary\_substr($salt, 0, $required_salt_len);

  155. 

  156.             $hash = $hash_format . $salt;

  157. 

  158.             $ret = crypt($password, $hash);

  159. 

  160.             if (!is_string($ret) || PasswordCompat\binary\_strlen($ret) != $resultLength) {

  161.                 return false;

  162.             }

  163. 

  164.             return $ret;

  165.         }

  166. 

  167.         /**

  168.          * Get information about the password hash. Returns an array of the information

  169.          * that was used to generate the password hash.

  170.          *

  171.          * array(

  172.          *    'algo' => 1,

  173.          *    'algoName' => 'bcrypt',

  174.          *    'options' => array(

  175.          *        'cost' => PASSWORD_BCRYPT_DEFAULT_COST,

  176.          *    ),

  177.          * )

  178.          *

  179.          * @param string $hash The password hash to extract info from

  180.          *

  181.          * @return array The array of information about the hash.

  182.          */

  183.         function password_get_info($hash) {

  184.             $return = array(

  185.                 'algo' => 0,

  186.                 'algoName' => 'unknown',

  187.                 'options' => array(),

  188.             );

  189.             if (PasswordCompat\binary\_substr($hash, 0, 4) == '$2y$' && PasswordCompat\binary\_strlen($hash) == 60) {

  190.                 $return['algo'] = PASSWORD_BCRYPT;

  191.                 $return['algoName'] = 'bcrypt';

  192.                 list($cost) = sscanf($hash, "$2y$%d$");

  193.                 $return['options']['cost'] = $cost;

  194.             }

  195.             return $return;

  196.         }

  197. 

  198.         /**

  199.          * Determine if the password hash needs to be rehashed according to the options provided

  200.          *

  201.          * If the answer is true, after validating the password using password_verify, rehash it.

  202.          *

  203.          * @param string $hash    The hash to test

  204.          * @param int    $algo    The algorithm used for new password hashes

  205.          * @param array  $options The options array passed to password_hash

  206.          *

  207.          * @return boolean True if the password needs to be rehashed.

  208.          */

  209.         function password_needs_rehash($hash, $algo, array $options = array()) {

  210.             $info = password_get_info($hash);

  211.             if ($info['algo'] !== (int) $algo) {

  212.                 return true;

  213.             }

  214.             switch ($algo) {

  215.                 case PASSWORD_BCRYPT:

  216.                     $cost = isset($options['cost']) ? (int) $options['cost'] : PASSWORD_BCRYPT_DEFAULT_COST;

  217.                     if ($cost !== $info['options']['cost']) {

  218.                         return true;

  219.                     }

  220.                     break;

  221.             }

  222.             return false;

  223.         }

  224. 

  225.         /**

  226.          * Verify a password against a hash using a timing attack resistant approach

  227.          *

  228.          * @param string $password The password to verify

  229.          * @param string $hash     The hash to verify against

  230.          *

  231.          * @return boolean If the password matches the hash

  232.          */

  233.         function password_verify($password, $hash) {

  234.             if (!function_exists('crypt')) {

  235.                 trigger_error("Crypt must be loaded for password_verify to function", E_USER_WARNING);

  236.                 return false;

  237.             }

  238.             $ret = crypt($password, $hash);

  239.             if (!is_string($ret) || PasswordCompat\binary\_strlen($ret) != PasswordCompat\binary\_strlen($hash) || PasswordCompat\binary\_strlen($ret) <= 13) {

  240.                 return false;

  241.             }

  242. 

  243.             $status = 0;

  244.             for ($i = 0; $i < PasswordCompat\binary\_strlen($ret); $i++) {

  245.                 $status |= (ord($ret[$i]) ^ ord($hash[$i]));

  246.             }

  247. 

  248.             return $status === 0;

  249.         }

  250.     }

  251. 

  252. }

  253. 

  254. namespace PasswordCompat\binary {

  255. 

  256.     if (!function_exists('PasswordCompat\\binary\\_strlen')) {

  257. 

  258.         /**

  259.          * Count the number of bytes in a string

  260.          *

  261.          * We cannot simply use strlen() for this, because it might be overwritten by the mbstring extension.

  262.          * In this case, strlen() will count the number of *characters* based on the internal encoding. A

  263.          * sequence of bytes might be regarded as a single multibyte character.

  264.          *

  265.          * @param string $binary_string The input string

  266.          *

  267.          * @internal

  268.          * @return int The number of bytes

  269.          */

  270.         function _strlen($binary_string) {

  271.             if (function_exists('mb_strlen')) {

  272.                 return mb_strlen($binary_string, '8bit');

  273.             }

  274.             return strlen($binary_string);

  275.         }

  276. 

  277.         /**

  278.          * Get a substring based on byte limits

  279.          *

  280.          * @see _strlen()

  281.          *

  282.          * @param string $binary_string The input string

  283.          * @param int    $start

  284.          * @param int    $length

  285.          *

  286.          * @internal

  287.          * @return string The substring

  288.          */

  289.         function _substr($binary_string, $start, $length) {

  290.             if (function_exists('mb_substr')) {

  291.                 return mb_substr($binary_string, $start, $length, '8bit');

  292.             }

  293.             return substr($binary_string, $start, $length);

  294.         }

  295. 

  296.         /**

  297.          * Check if current PHP version is compatible with the library

  298.          *

  299.          * @return boolean the check result

  300.          */

  301.         function check() {

  302.             static $pass = NULL;

  303. 

  304.             if (is_null($pass)) {

  305.                 if (function_exists('crypt')) {

  306.                     $hash = '$2y$04$usesomesillystringfore7hnbRJHxXVLeakoG8K30oukPsA.ztMG';

  307.                     $test = crypt("password", $hash);

  308.                     $pass = $test == $hash;

  309.                 } else {

  310.                     $pass = false;

  311.                 }

  312.             }

  313.             return $pass;

  314.         }

  315. 

  316.     }

  317. }